1 / 120

Introduction to the Common Criteria and the Underlying Concepts of Trust in Computer Systems

Introduction to the Common Criteria and the Underlying Concepts of Trust in Computer Systems. Michael McEvilley SIGAda 2002 Tutorial SF3 December 8, 2002. Tutorial Objectives Understanding. Security concepts and the principles behind establishing trust in security functions

virgil
Download Presentation

Introduction to the Common Criteria and the Underlying Concepts of Trust in Computer Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to the Common Criteriaand the Underlying Concepts of Trust in Computer Systems Michael McEvilleySIGAda 2002 Tutorial SF3December 8, 2002 1

  2. Tutorial ObjectivesUnderstanding • Security concepts and the principles behind establishing trust in security functions • The contents and concepts of the Common Criteria • The philosophy behind the CC and the resultant limitations of the CC

  3. Tutorial ObjectivesRecognition • The similarities and differences in establishing assurance for security critical and other critical application domains • Concepts vs. terminology • Development and verification processes

  4. Discussion Topics • Security Concepts & the CC • CC Document Conceptual Walk-through • CC Part I – Introduction & General Model • CC Part II – Functional Requirements • Requirements Organization, Overview, Operations • CC Part III – Assurance Requirements • Requirements Organization, Overview, Operations

  5. What Is the CC?“Common Criteria for Information TechnologySecurity Evaluation” • Common Criteria • Meta-standard containing constructs and criteria used to develop security specifications • Specification constructs • Protection Profile (PP) • Security Target (ST) • Requirements criteria • Functional • Assurance … in support of the evaluation of products and systems

  6. CC Functional Criteria • Specify the security properties of IT products and systems that address • Unauthorized disclosure (confidentiality, privacy) • Unauthorized modification (integrity) • Loss of use (availability) • Verification of identity (Identification and Authentication (I&A)) • Accountability for operations (audit, non-repudiation) • Provides a basis for comparison of different design or implementation solutions

  7. CC Assurance Criteria • Specify the properties for verification of development life-cycle activities • Specify the properties for accumulation and verification of a continuity of knowledge as systems evolve • Continuity of knowledge ~ maintenance • Provides a basis for comparison of the results of independent evaluations

  8. Introduction & General Model Part 1 Functional Requirements Part 2 Assurance Requirements Part 3 Application of the CC Process Independence CC constructs may be integrated with existing system life-cycle processes Technology Independence CC requirements are independent of technology and implementation – hardware, software, firmware Functionality Independence CC criteria is independent of requirements specific to any business or mission case Goal Independence Originally developed to support formal evaluation Being applied in new and diverse contexts

  9. CC Terms • Target of Evaluation (TOE) • An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation • Differentiation between product and system is not clear - think components • Single component TOE • Multi-component TOE • System TOE

  10. CC Terms • TOE Security Policy (TSP) • Set of rules that define how resources are managed, protected and distributed by the TOE • TOE Security Functions (TSF) • The parts of the TOE implementation that are relied upon for the correct enforcement of the TOE Security Policy (TSP) • TSF Interfaces (TSFI) • Interfaces to the TOE security functions • internal to the TOE • external to the TOE

  11. CC Terms • IT Environment • IT components that are not part of the TOE but with which the TOE shares a trusted relationship • Trust relationship – authentication of communication participants and secure methods to transfer information • Non-IT Environment • The physical aspects of the location(s) in which the TOE is placed and operates

  12. IllustrationTOE, TSF, TSFI TOE Non-Security Functions TSF Interfaces (TSFI) Target of Evaluation (TOE) TOE Security Functions (TSF)

  13. IllustrationNon-IT Environment Non-IT Environment • Non-IT environment consists of the physical aspects of the location(s) in which the TOE is placed and operates. TOE

  14. IT Product IT Product IllustrationIT Environment The general environment is enclosed inside the square, i.e., the ‘world’ • TOE Environment is enclosed inside the circle • Non-IT environment • implemented by the physical world TOE • IT Environment • implemented by IT capabilities

  15. IT Product Practical IllustrationWeb Server (TOE) - Certificate Server (IT Environment) TOE Non-IT environment of the Web Server (TOE) Non-IT environment of the Certificate Server (IT environment of the TOE)

  16. Interfaces • Rules for interaction between components • Typically specified independent of functionality • message interface • programming interface (API) • services interface • plug-in interface • May be internal or external

  17. Trust Relationships • Rules for secure interaction between components • special form of interface • subset of interface specification • From the CC perspective • internal to the TOE • between the TOE and a remote trusted component • the IT environment

  18. Establishing Trust Relationships • Trusted channels provide mechanism for trust relationships between security components • authentication of endpoints • secure communication protocol • integrity, confidentiality, recovery • Trusted channels provide mechanism for trust relationship between user and TSF

  19. CC Trust Relationship Terms • Trusted Channel • the means by which the TSF communicates securely with another part of the TSF or with a remote trusted IT product • Trusted Path • the means by which a user communicates securely with the TSF • trusted paths are built on trusted channels

  20. Trust relationship between TOE and IT environment requires establishment of trust between the communicants via two-way authentication protecting information from modification and disclosure Trusted Relationship ConceptTOE & IT Environment TOE IT Product Security Functions TSF Trusted Channel Trusted Interface

  21. No IT Environment - the TSF is a single logical entity although the parts are physically distributed Regardless, the requirements remain establishment of trust between the distributed TSF components protecting information from modification and disclosure Trusted Relationship ConceptNetworked/Distributed TOE TOE TOE TSF TSF Internal Channel of the TOE Trusted Interface

  22. Security Evaluation Issues TSF TOE (Operating System) Process Management TSF File Management Memory Management • TSF consists of three subsystems • one external interface to TSF • three internal subsystem interfaces

  23. Descriptive Walkthrough of the Common Criteria 23

  24. Introduction & General Model Part 1 Common CriteriaPart I Introduction & General Model 24

  25. The CC Requirements Specification Framework Specification Constructs Protection Profiles Security Targets Packages 25

  26. Specification Framework Purpose • Present a “Security Case” • Context problem statement • Introduction • TOE Description • Environment information • Assumptions, Threats, Policies • Statement of solution • Objectives • Functional and assurance requirements • Rationale to substantiate the solution

  27. CC Specification Constructs • Protection Profile (PP) • An implementation-independent characterization of required security capabilities and verification activities • Security Target (ST) • A implementation-dependent statement of security capabilities and verification activities used as the basis for the TOE evaluation • Complete requirement and implementation detail • Package • Reusable set of functional and/or assurance requirements

  28. Purpose of the PP • To provide a means for statement of security requirement needs • for acquisition • for development • for certification & accreditation • for any unique security documentation requirement • PPs establish ... • a basis for ST development • a common reference for ST comparison and assessment

  29. Protection Profile Granularity • Requirement detail granularity is the discretion of the PP author . . . . . Capability or Technology Focused PP Abstract High Level Conceptual PP Increasing detail & constraints - less options & flexibility

  30. Purpose of the ST • To provide a means for developers and system integrators to state the security requirement of a component, product or system • in response to a PP • independent of a PP • STs establish • the basis for a TOE evaluation

  31. Identification Overview TOE Description Security Environment Assumptions, Threats, Policies Security Objectives Security Requirements Functional, Assurance (EAL) Rationale PP/ST Contents/Comparison Security Target Protection Profile • Identification • Overview • TOE Description • Security Environment • Assumptions, Threats, Policies • Security Objectives • Security Requirements • Functional, Assurance (EAL) • Rationale • TOE Summary Specification • CC Conformance Claim • PP Claims

  32. PP Evaluation • Verifies that the PP meets the criteria defined by the APE assurance class • Technical correctness vs. applicability • Establishes an approved specification repository from which compliant components may be developed or verified • Often referred to as a registry • Managed by a controlling [regulatory] organization

  33. ST Evaluation • Verifies that the ST serves as a suitable basis for the TOE evaluation • Technical correctness • Verifies that the ST is an accurate instantiation of each profile to which it claims compliance • PP compliance claim is optional • The ST is typically evaluated with the TOE

  34. ST & TOE Evaluation • TOE evaluation includes ST, TOE and evaluation evidence • ST must be evaluated first to establish a basis for the TOE evaluation • ST evaluation is not complete until the TOE evaluation completes • ST must be sufficiently complete to enable the TOE evaluation

  35. PP/ST Relationship • A ST may be derived from a PP • A ST may be developed independent of a PP • The ST author has the option to establish the relationship between the ST and a PP • referred to as a PP Claim • one ST may be related to multiple PPs • each PP claim must be substantiated by the ST author

  36. CC Requirements Specification Framework (PP/ST) Contents 36

  37. Basis for Requirements ALL TOE security requirements ultimately arise from consideration of the purpose of the TOE and the context in which the TOE operates

  38. PP/ST Development Activities Establish Security Environment Substantiation Establish Security Objectives Substantiation Derivation Establish Security Requirements Derivation A specification framework with checks and balances to provide end-to-end correctness

  39. PP/ST Development ActivitiesEstablish Security Environment TOE IT Environment TOE Scope and Purpose TOE Physical (Non-IT) Environment Assets Requiring Protection Establish Security Environment Organizational Security Policies (OSPs) Secure Usage Assumptions Threats

  40. PP/ST Development ActivitiesEstablish Security Objectives Organizational Security Policies (OSPs) Secure Usage Assumptions Threats Establish Security Objectives IT Environment Objectives Non-IT Environment Objectives TOE Objectives

  41. PP/ST Development ActivitiesEstablish Security Requirements Non-IT Environment Objectives CC Part II & Part III Requirements Catalog TOE Objectives IT Environment Objectives Establish Security Requirements Non-IT Environment Requirements TOE Functional Requirements TOE Assurance Requirements Interface to IT Environment Requirements

  42. The Security Environment Secure Usage Assumptions Threats Organizational Security Policy (OSP) 42

  43. Security Environment Components • Assumptions • The security aspects of the environment in which the TOE will be used or is intended to be used • Threats • The ability to exploit a vulnerability by a threat agent • Organizational Security Policies (OSPs) • A set of rules, procedures, practices, or guidelines imposed by an organization upon its operations

  44. Assumptions“The security aspects of the environment in which the TOE will be used or is intended to be used” • Assumptions are “assertions of expectations” regarding • secure usage of the TOE • scope and boundary of the TOE • placement of the TOE in its environment • interaction with other IT (IT environment) • interaction with people (Non-IT environment) • Assumptions establish context for all that follows in the PP/ST

  45. Using Assumptions • Assumptions must not • impose requirements on the TOE or on its IT environment • have IT aspects of objectives mapped to them • be used to mitigate legitimate threats that are to be countered by the TOE or its IT environment • Assumptions must • be considered as requirements for the Non-IT environment • Assumptions always • result in objectives for the Non-IT environment

  46. Assumption Examples • A.Physical_Protection • The TOE is installed in a restricted and controlled access area sufficient to prevent unauthorized physical access to the TOE. • A.Dedicated_Network • The TOE is installed on an isolated network that is dedicated to the TOE and that is not connected to any other network.

  47. Threats“The ability to exploit a vulnerability by a threat agent” • Threat definition is accomplished through a Vulnerability Analysis that give insight to the threats • against the TOE • against the environment of the TOE (IT & Non-IT) • inherent to technology/personnel/operations • Threats are countered • by the TOE • by the IT environment of the TOE • by the Non-IT environment of the TOE

  48. Focus of Threat Statements • Threats provide a basis for statement of countermeasures • Threats SHALL address • the attack • the attacker • the assets • the implications of the successful attack • Threats SHOULD address • attacker motivation, expertise • risk of threat being realized

  49. Threat Examples T.Intercept An individual obtains unauthorized access to controlled information by intercepting information transmitted to/from the TOE. T.Authentication An individual obtains unauthorized access to the TOE by a. impersonating an authorized user of the TOE, b. replaying a successful authentication session, c. unauthorized use of an authorized users existing session

  50. Organizational Security Policy “A set of rules, procedures, practices, or guidelinesimposed by an organization upon its operations” • PP/ST author discretion to include/exclude policy • Policy required • If some aspect of the policy is to be enforced by the TOE or by the IT environment of the TOE • Policy optional • If no aspect of the policy is to be enforced by the TOE or by the IT environment of the TOE

More Related